ESI Come, ESI Go: Next Steps for E-Discovery
Since December, the US civil code has included electronically stored information (ESI) in its requirements for legal discovery. But surveys show most companies are unprepared to comply. What's the holdup, and how can companies move toward sustainable e-discovery management?
by Mark Edmead
When amendments to the US Federal Rules of Civil Procedure (FRCP) created new requirements for e-discovery last December, the corporate world shuddered. The wheels of justice had finally hit the information superhighway; it seemed no e-mail would ever be safe again.
Under the FRCP's General Provisions Governing Discovery; Duty of Disclosure, the term electronically stored information (ESI) replaced the musty data compilation, indicating the court's recognition that the realm of computerized information is much broader than 1970s databases. Moreover, the change made ESI an explicit component of legal discovery. Going forward, the court would expect and inspect all kinds of digitally stored records, regardless of how they were generated.
Digital information includes e-mail (and associated attachments), databases, text documents, spreadsheets, instant and text messages, and digital voice mail messages to name a few. Digital information can be produced from a diversity of software including Microsoft Office applications, financial software such as Intuit QuickBooks, e-mail interfaces, and instant messaging clients. As of December 1, 2006, all of these information formats are on the legal hit list.
The Uphill Battle of E-Discovery
E-discovery requirements impose unique challenges on businesses because of the way electronic information is created, modified, communicated, stored, and scrapped by computer systems.1 Litigators and judges must now sift through an enormous volume of data—more than 800 megabytes per employee per year every year.2
Storing the information is one thing; enabling its fast and painless retrieval is a much more complex process that includes:
- Tracking information that meets specific discovery criteria
- Establishing and implementing digital information archiving rules
- Determining how archiving rules should be applied to various roles, locations, and workers
- Assessing the consequences of noncompliance.
Distribution compounds the challenges of volume. Often, the same information is stored in multiple locations at the same time. For example, when an e-mail is sent across the Internet, one or more systems generally replicate the message. After it reaches its location, it's stored on both the sender's and receiver's computers. If those computers are on a corporate network, the message is likely to be backed up daily in a centralized archive. And both the sender and recipient are free to copy it to other people, network servers, local hard drives, and storage media.
The problem arises when impending litigation—real, threatened, or even imagined—compels companies to isolate and protect relevant ESI. Whatever the challenges of volume and distribution, the information must be frozen when:
- A lawsuit is anticipated
- A complaint is filed against the company
- A lawsuit is pending or has been initiated
- A discovery request is received.
The FRCP changes are meant to force companies to address, not avert, the challenges of e-discovery, beginning with information retention and ending with delivery of ESI to the legal requestor. In other words, ESI wasn't added to the FRCP despite its slippery nature; it was added largely because of it.
Attorney Michael R. Arkfeld, author of Electronic Discovery and Evidence Best Practices Guide, notes that there are many ways that ESI differs from conventional information. First, digital information is dynamic. A paper document is essentially static in nature, but digital data can change in place. Maintaining and certifying the integrity of digital data requires additional work. Also, massive data volume can make managing and retrieving information a difficult, expensive task.
According to a November 2006 study issued by the Enterprise Strategy Group (ESG)3, the main challenges faced by organizations when producing electronic records include:
- Unavailability of data from offline media, such as backup tapes
- Lack of effective search-and-retrieve tools
- Insufficient IT resources
- Unclear and unreasonable request from courts and attorneys
- Poor communication between IT and legal teams
- Lack of legal and compliance resources
How are companies addressing these challenges? Robert Pease, vice president of marketing for MessageGate, an e-mail-monitoring software vendor, says that companies aren't really sure what they should be doing. They look at the e-discovery rules from a legal perspective, but don't quite know how they should apply to their technology infrastructure. Pease notes that some companies have attempted to respond by limiting e-mail or getting rid of it altogether; others are adopting a wait-and-see attitude.
In general, attempting to avoid e-discovery rules by eliminating ESI is the legal equivalent of holding your breath to cure halitosis: it's not a sustainable practice; it drives communications to even less secure channels, such as text messaging and public e-mail services; and it breeds employee discontent, which can only compound legal risk. Suppressing e-mail use alone is also futile, since it only addresses one form of electronic information.
A Phased Approach to ESI Management
E-mail, including attachments, is the number-one type of record requested and produced to support a legal proceeding or regulatory inquiry.4 General office-productivity documents, invoices and other customer records, and financial statements are next on the list. Pease recommends companies step back and look at these types of data, then take the time to classify it properly. While most companies do this with their conventional documents and even some ESI, many do not apply the discipline to e-mail classification.
Companies can start the classification process by locating all of their enterprise data. Based on a comprehensive ESI inventory, companies can create an index with searchable metadata, such as content creator, date of last access, document description, keywords, sensitivity classification, and so on.
Getting data in order (and providing metadata) can certainly be a monumental task. Experts like Rick Wolf of Lexakos, a business advisory service, recommend a phased approach. Wolf's one-year timeline for implementing a comprehensive information lifecycle management (ILM) policy includes:
- Create a cross-functional ILM task force with an initial goal of conducting a risk assessment
- Assess existing document management and e-mail systems
- Examine business functions to identify document flow and the types of documents used
- Begin an e-mail and backup-tape inventory
- Require the task force to send its risk assessment report to senior management
- Create a project plan and budget proposal tied to ESI lifecycle management, including the implementation of a document management system
- Create an inventory of record types for each individual business function across departments
- Create a data storage and destruction schedule for the various record types
- Evaluate recommendations for the document management system
- Develop new records management policies
- Evaluate document management systems and vendors
- Develop and promote user awareness
- Disseminate new records management policies
- Train employees on new policies and procedures
- Issue an RFP to document management system vendors (if required)
Throughout these processes, the ILM team's primary objective will be to instill best practices for managing the ESI lifecycle. This includes reviewing and updating data retention (and destruction) policies; evaluating new information-exchange technologies, such as instant messaging; understanding the nature of the company's actual ESI; and measuring the risk associated with inadequate policies and practices.
Appropriate resource allocation is a key success factor for effective ESI management. Companies should be prepared to dedicate funds and staff resources to develop efficient and sustainable systems and processes. At the same time, however, they should strive to reduce the costs of data retention, minimize system complexity, and reduce redundant storage and processes. Failing any of these goals increases the cost of document discovery, as well as the likelihood of noncompliance with e-discovery requirements.
1Withers, K. (Spring 2006). Electronically stored information: The December 2006 amendments to the Federal Rules of Civil Procedure. Northwestern Journal of Technology and Intellectual Property. 4(2).
2Lyman, Peter and Varian, Hal (2003). How Much Information 2003. University of California at Berkeley, School of Information Management and Systems.
3Babineau, Brian (September 2006). Separating Backup and Archive Processes to Meet New Challenges of Information Management. Enterprise Strategy Group (ESG).
4McKnight, John (March, 2006). Digital Archiving: End-User Survey & Market Forecast 2006-2010. Enterprise Strategy Group (ESG).
Mark Edmead, MBA, CISSP, CISA, has over 25 years of experience in computer systems architecture, information security, and project management. He currently teaches audit and IT security courses for the Institute of Internal Auditors (IIA) and Learning Tree International.